Cyber Risk Modeling: A Discrete Multivariate Count Process Approach

Abstract

In the past decade, cyber insurance has raised much interest in the insurance industry, and cyber risk has evolved from a type of pure operational risk to both operational and liability risk for insurers. However, the modeling of cyber risk is still in its infancy. Compared with other insurance risks, cyber risk has some unique features. In particular, discrete variables regularly arise both in the frequency component (e.g. number of events per unit time), and the severity component (e.g. the number of data breaches for each cyber event). In addition, the modeling of these count variables are further complicated by nonstandard properties such as zero inflation, serial and cross-sectional correlations, as well as heavy tails. Previous cyber risk models have largely focused on continuous models that are incompatible with many of these characteristics. This paper introduces a new count-based frequency-severity framework to the insurance literature, with a negative binomial autoregressive process for the multivariate frequency component, and the generalized Poisson inverse-Gaussian distribution for the severity component. We unify these new modeling tools by proposing a tractable Generalized Method of Moments for their estimation and apply them to the Privacy Rights Clearinghouse (PRC) dataset.